Disabling Authentication completely

[PrtmPhlp]

Explain what happens

I would like to use Cockpit with the SSO system Authentik.
Because I already have authentication, I would like to deactivate the Cockpit Auth system. I could not find any specific instructions in the Docs.
Any help would be appreciated.
I also get the following error message when I log in normally with Cockpit after the Authentik authentication:

I pasted the Systemlogs below.
Thanks for your help and thank you for developing this Project!

Version of Cockpit

311-1~bpo23.10.1

Where is the problem in Cockpit?

Networking

Server operating system

Ubuntu

Server operating system version

Ubuntu 23.10

What browsers are you using?

Chrome

System log

Mär 31 07:12:47 Digitalocean cockpit-tls[3756561]: cockpit-tls: gnutls_handshake failed: The TLS connection was non-properly>
Mär 31 07:12:48 Digitalocean cockpit-tls[3756561]: cockpit-tls: gnutls_handshake failed: The TLS connection was non-properly>
Mär 31 07:12:48 Digitalocean cockpit-tls[3756561]: cockpit-tls: gnutls_handshake failed: No supported cipher suites have bee>
Mär 31 07:12:49 Digitalocean cockpit-tls[3756561]: cockpit-tls: gnutls_handshake failed: The TLS connection was non-properly>
Mär 31 07:12:50 Digitalocean cockpit-tls[3756561]: cockpit-tls: gnutls_handshake failed: The TLS connection was non-properly>
Mär 31 07:12:51 Digitalocean cockpit-tls[3756561]: cockpit-tls: gnutls_handshake failed: A packet with illegal or unsupporte>
Mär 31 07:12:51 Digitalocean cockpit-tls[3756561]: cockpit-tls: gnutls_handshake failed: Error in the pull function.
Mär 31 07:12:52 Digitalocean cockpit-tls[3756561]: cockpit-tls: gnutls_handshake failed: Error in the pull function.
Mär 31 07:12:52 Digitalocean cockpit-tls[3756561]: cockpit-tls: gnutls_handshake failed: No supported cipher suites have bee>
Mär 31 07:12:52 Digitalocean cockpit-tls[3756561]: cockpit-tls: gnutls_handshake failed: Error in the pull function.
Mär 31 08:07:10 Digitalocean cockpit-tls[3756561]: cockpit-tls: gnutls_handshake failed: A packet with illegal or unsupporte>
Mär 31 08:07:15 Digitalocean cockpit-tls[3756561]: cockpit-tls: gnutls_handshake failed: No supported cipher suites have bee>
Mär 31 09:07:47 Digitalocean cockpit-tls[3756561]: cockpit-tls: gnutls_handshake failed: A packet with illegal or unsupporte>
Mär 31 09:07:47 Digitalocean cockpit-tls[3756561]: cockpit-tls: gnutls_handshake failed: The TLS connection was non-properly>
Mär 31 09:08:36 Digitalocean cockpit-tls[3756561]: cockpit-tls: gnutls_handshake failed: A packet with illegal or unsupporte>
Mär 31 09:08:36 Digitalocean cockpit-tls[3756561]: cockpit-tls: gnutls_handshake failed: No supported cipher suites have bee>
Mär 31 09:08:36 Digitalocean cockpit-tls[3756561]: cockpit-tls: gnutls_handshake failed: The TLS connection was non-properly>
Mär 31 09:08:36 Digitalocean cockpit-tls[3756561]: cockpit-tls: gnutls_handshake failed: The TLS connection was non-properly>
Mär 31 09:08:36 Digitalocean cockpit-tls[3756561]: cockpit-tls: gnutls_handshake failed: No supported cipher suites have bee>
Mär 31 09:08:36 Digitalocean cockpit-tls[3756561]: cockpit-tls: gnutls_handshake failed: A packet with illegal or unsupporte>
Mär 31 09:08:36 Digitalocean cockpit-tls[3756561]: cockpit-tls: gnutls_handshake failed: A packet with illegal or unsupporte>
Mär 31 09:08:36 Digitalocean cockpit-tls[3756561]: cockpit-tls: gnutls_handshake failed: The TLS connection was non-properly>
Mär 31 09:08:36 Digitalocean cockpit-tls[3756561]: cockpit-tls: gnutls_handshake failed: No supported cipher suites have bee>
Mär 31 09:08:36 Digitalocean cockpit-tls[3756561]: cockpit-tls: gnutls_handshake failed: The TLS connection was non-properly>
Mär 31 09:08:36 Digitalocean cockpit-tls[3756561]: cockpit-tls: gnutls_handshake failed: A packet with illegal or unsupporte>
Mär 31 09:08:36 Digitalocean cockpit-tls[3756561]: cockpit-tls: gnutls_handshake failed: A packet with illegal or unsupporte>
Mär 31 09:08:36 Digitalocean cockpit-tls[3756561]: cockpit-tls: gnutls_handshake failed: The TLS connection was non-properly>
Mär 31 09:08:36 Digitalocean cockpit-tls[3756561]: cockpit-tls: gnutls_handshake failed: The TLS connection was non-properly>
Mär 31 09:08:36 Digitalocean cockpit-tls[3756561]: cockpit-tls: gnutls_handshake failed: No supported cipher suites have bee>
Mär 31 09:08:36 Digitalocean cockpit-tls[3756561]: cockpit-tls: gnutls_handshake failed: A packet with illegal or unsupporte>
Mär 31 09:08:36 Digitalocean cockpit-tls[3756561]: cockpit-tls: gnutls_handshake failed: A packet with illegal or unsupporte>
Mär 31 09:08:36 Digitalocean cockpit-tls[3756561]: cockpit-tls: gnutls_handshake failed: A packet with illegal or unsupporte>

[martinpitt]

I suppose that's https://goauthentik.io/ ? This looks like a web-based authentication mechanism (similar to OAuth?). Cockpit is a real Linux session, so you need to authenticate to a Linux user account somehow, and that has to involve PAM at some point. cockpit-ws ships with cockpit-session (handling password, kerberos/SSO, or certificate logins). In principle you can create your own session authentication and starting script and configure it in cockpit.conf, but note that this is some non-trivial work.

You can disable authentication completely if you don't use cockpit.socket and cockpit-tls, but instead start cockpit-ws directly as the target user. You can experiment with /usr/lib/cockpit/cockpit-ws -a 127.0.0.1 --local-session=cockpit-bridge . But ⚠️ This is completely insecure by itself -- everyone on localhost can then access port 9090 and get an immediate session as that target user.

All the TLS errors and the "connection failed" usually mean that you try to talk TLS to a non-TLS cockpit-ws, i.e. some misconfiguration in the reverse proxy. Your setup is appparently rather complex and you didn't really describe it.

[PrtmPhlp]

First of all, thank you for taking the time to answer!
I'm currently hosting a Next.js web server through a DigitalOcean VPS and using Nginx Proxy Manager as my reverse proxy. I thought of using Cockpit for a quick overview of the VPS health status and enhancing security by placing it behind my Authentik (goauthentik.io) proxy provider's authentication server. However, I'm concerned that publishing it directly to the internet might not be the best security practice for me for this project.

My only question is: Is this project intended solely for managing your Linux server on a localhost level, or are there aspects I'm overlooking that would make it safely accessible to the public?

Thanks again for taking your time!

[martinpitt]

Cockpit's goal is to be a full Linux user session, with authentication, user D-Bus and all bells and whistles. Similar to what you get on a VT, in Gnome etc., but in a web browser. It's not meant to be an unauthenticated public monitoring tool. You can certainly build it that way - create a heavily confined user which can't do anything serious on a machine, and then do the --local-session thing as that user. But making that safe is incredibly hard -- even as completely unprivileged user you can still use up CPU, RAM, disk space, networking, etc. (think "run a bitcoin miner"). So please don't put this on the open internet -- inside of a VPN is ok.

Sorry for the late answer!